
Comment Saw it coming (Score 1) 220

A decade ago I had a discussion with my then boss about how to respond to inbound attacks. It was clear then that the current methods of defense were wrong by any measure you care to use. They haven't gotten any better in a decade. They've only increased in cost and complexity. The basic failure can be demonstrated by the metaphor of feudal Europe, since I know all of you are aware of your western civ history. Our current defense methods are akin to various forms of dumping molten lead onto the Visigoths below our 'fortified' walls. The problem is that the Visigoths are already in our land, destroying things along their way to the castle. Of course the metaphor breaks down because these Visigoths replicate in place; they get stronger, faster and more sinister in their siege weapons with nothing more than the passage of time, and no matter how many we disable there are always more than there were a minute ago.

So what to do? Given that the attack is always through an intermediate entity, I propose using a biological analog to address it. Treat it as a diseased state and execute a vaccination. Since the intermediate system has already been compromised, as is demonstrated by the fact that it is currently an intermediate for an attack, it would be best to wrest control of it from its current commander. We can certainly discuss what that means or how to accomplish it, but that is the best solution. Remove the Visigoths from battle rather than attempting to thwart their attack on us. The other side of this equation, and the thing its success depends on, is automation. The takeover system must be able to respond to the attack within a few packets and wrest control a short time later. Otherwise you have accomplished nothing. Waiting until the entire village is infected with Ebola before you send in the inoculant will only result in more deaths. Waiting for a human being to respond is similarly inappropriate in this situation.

This is not an attack. It is a method of removing resources from an attacker. If the takeover were done correctly, say leaving the affected machine in a state where it was no longer vulnerable to the exploit the attacker used originally to take control, you have in fact helped the Internet overall. You have inoculated another machine and the pool of resources available to attackers has diminished. If you can do it fast enough you can wrest an entire farm from its nefarious controlling entity and put them back at square one. This method levels the playing field, as every attack is therefore a chance to lose all your resources. It requires no coordination to execute, no notice since the machine is already infected, and there is no data breach involved.

The real question is can it be done?

Give me a minute.....

Comment Go ahead, take my stuff (Score 1) 453

My personal laptop is set up to wipe itself if you fail to give the correct credentials enough times. "No," you may not have my password, or better yet, "Password99". Try using that one a few times ;-)
Of course there are things like Google Docs, so there isn't anything on the machine itself. I can stop at a store on the way home from the airport, pick up a cheap replacement and be back in business in the time it takes to log on to a hotspot.
And I don't have anything to hide. This whole process was set up when I lost a machine a while back. The machine is now immaterial.
So go ahead and take my 'portal'. You'll get nothing, and I'll be in touch with my lawyer before you can even attempt a second login.

Submission + - H-1B visas are bad news for older workers

hwstar writes: The H-1B visa reform contained in S744 will result in continued high unemployment of older experienced US citizens, and make it very difficult for older workers to remain in a technical field.

There is a cavalier attitude being propagated by high tech executives regarding older STEM workers:

The 29-year-old self-proclaimed social media phenom also quipped, “Young people are just smarter,” something he later apologized for. However, Zuckerberg also recognizes the profitability of hiring H-1B visa holders over American kids. Critics call it the immigration lottery, as most foreign students will work twice the hours for half the pay as their U.S. counterparts in order to gain legal status in America.

The industry uses younger STEM workers because they work longer hours for less pay, and then casts them aside:

"Oftentimes the result of the H-1B visa program is that 35+ and older workers are thrown away like yesterday’s newspaper. Nelson said the Senate’s comprehensive immigration reform bill S744 would be a disaster for Americans."

The article also describes that "dark money" is being used to lobby Congress for H-1B reform:

With the help of political PACs, STEM employers use “dark money” (a term used by 501(c)(4)s and 501(c)(6)s donors who wish to remain anonymous), in a calculated effort to continue the flow of foreign workers.

Finally, salary parity between H-1B and domestic technical workers is a farce:

Rep. Zoe Lofgren told Computerworld that “the average wage for computer systems analysts in her district is $92,000, but the U.S. government prevailing wage rate for H-1B workers in the same job currently stands at $52,000, or $40,000 less. ‘Small wonder there's a problem here, we can't have people coming in and undercutting the American educated workforce.’”


Comment Re:Chilling (Score 1) 306

The implied objective noun (I intended) was of the NSA, not the records themselves.

IMHO I think the collection of data such as that which the NSA has gathered is in no way legal in any way. See 1st and 4th amendments. Given that, the possible utility of the data is by no means sufficient cause to allow it to continue to exist. We either are a society that follows the rule of law, or we are not. If our highest governmental agencies can't comply with our constitutionally guaranteed rights, how are we the people supposed to have any faith in our government? If they can ignore any law at any point for their convenience, how are we then protected from abuse?

Comment Chilling (Score 4, Interesting) 306

"Outside of our borders, the NSA's more aggressive. It's not constrained by laws"

Uhm, I guess the laws of foreign countries, and international law, don't apply to our spy organizations. I'm also sure the constraint of our laws (1st Amendment, 4th Amendment) can be ignored at will as well. After all, we are just trying to find all the terrorists, right?!? (You know, like the First Unitarian Church of Los Angeles.)

As Ben Franklin put it, "They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

We need to simply shut down the NSA altogether, burn their records in effigy, and recall every elected official who ever voted in favor of their activities, or their funding.

Submission + - Suggested Poll

DFDumont writes: Given the various tones and range of opinions I find in Slashdot comments, I wonder if there's any correlation to geography or demography? Where are most Slashdot readers living? What areas are not represented well? How many of us are Americas based, versus EMEA or APAC? Are we living on the coasts or in the interior? Cities or rural? Are we college educated? Are we mostly under 25 or over 40?
Just curious, although I think it would make an interesting study.

Comment Favoring nothing, how about blocking some (Score 1) 2

Irrespective of the business opportunities afforded ISPs and backbone providers by offering 'premium' transmission services, I'd like to see someone propose limiting or blocking nefarious traffic. For instance, anything that violates an established RFC (think ping of death), or port scanning. We have left the infancy stage of the Internet and can no longer trust all participants to "play by the rules". They aren't. The only facility in place to stop such traffic is the one with the registered BGP AS#, not your home or corporate firewall. We could reasonably block 80% of the attack traffic by simple firewall rules at every meet point between providers that filtered on 20% of well known attack vectors. (See Pareto Principle)
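As an added illustration (not part of the comment above), here is a sketch of the two cheap rules it mentions, applied to constructed packet records: an RFC 791 oversize check that catches the "ping of death" fragment pattern, and a per-source distinct-port count that flags port scanning. The thresholds and the documentation-range addresses are assumptions for the example.

```python
# Added example (not from the comment above): a sketch of the kind of cheap
# filter a provider could run at a peering point. Two rules only: IPv4
# fragments that would reassemble past the RFC 791 limit (the "ping of death"
# pattern) and sources fanning out across many ports (port scanning).
from collections import defaultdict

MAX_IPV4_DATAGRAM = 65535      # RFC 791 total-length ceiling
SCAN_PORT_THRESHOLD = 20       # assumed policy: distinct ports per source per window
SCAN_WINDOW_SECONDS = 10.0     # assumed policy: fixed window size

def violates_rfc791(pkt):
    """True if this fragment's end lies beyond the maximum IPv4 datagram size."""
    return pkt["frag_offset"] * 8 + pkt["payload_len"] > MAX_IPV4_DATAGRAM

def find_port_scanners(packets):
    """Sources that touch more than SCAN_PORT_THRESHOLD distinct ports in one window."""
    ports = defaultdict(set)   # (src, window bucket) -> distinct destination ports
    for p in packets:
        ports[(p["src"], int(p["ts"] // SCAN_WINDOW_SECONDS))].add(p["dport"])
    return {src for (src, _), seen in ports.items() if len(seen) > SCAN_PORT_THRESHOLD}

def filter_packets(packets):
    """Return (dropped, passed); each dropped entry is (packet, reason)."""
    scanners = find_port_scanners(packets)
    dropped, passed = [], []
    for p in packets:
        if violates_rfc791(p):
            dropped.append((p, "rfc791-oversize"))
        elif p["src"] in scanners:
            dropped.append((p, "port-scan"))
        else:
            passed.append(p)
    return dropped, passed

def pkt(ts, src, dport, frag_offset=0, payload_len=40):
    """Constructed packet record (documentation-range addresses, not real traffic)."""
    return {"ts": ts, "src": src, "dst": "203.0.113.5", "dport": dport,
            "frag_offset": frag_offset, "payload_len": payload_len}

# Constructed sample: one normal HTTPS packet, one oversize ICMP fragment
# (offset 8183 * 8 + 1480 = 66944 bytes), and a 25-port sweep from one host.
SAMPLE = [pkt(0.0, "198.51.100.7", 443, payload_len=1400),
          pkt(0.5, "198.51.100.9", 0, frag_offset=8183, payload_len=1480)]
SAMPLE += [pkt(1.0 + i * 0.1, "192.0.2.44", 1 + i) for i in range(25)]
```

Calling `filter_packets(SAMPLE)` drops the oversize fragment and the whole sweep and passes only the HTTPS packet.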

Comment Held to a higher standard (Score 2) 409

Those who are employed as public servants, be they police or fire or even plain old government workers, should expect to be held to a higher standard. You are working for the public, not some company or even some NPO. You work for everyone. With that comes an additional level of responsibility, and thus additional scrutiny.
I find it disturbing when a police cruiser is being driven recklessly, particularly when the lights aren't flashing. I similarly find it amusing that police don't want to be monitored, given recent stories about officers caught spending their patrol time sleeping. (Do a Google search. It's rampant enough that you'll find plenty of hits.) If the GPS says the cruiser hasn't moved for the past 60 minutes, we probably know what's going on.
As to the remarks herein about attitudes of officers towards the citizenry, I concur. Every interaction I've had with uniformed officers has been identical. I'm the idiot for asking directions. I'm the one at fault for whatever is their current interest. I'm the criminal. I'm the one that needs to be 'dealt with'. Whatever happened to "Serve and Protect"?
Finally, we have far too many police. If the only thing your officers have to do is to sit alongside the roads and point a radar gun, then you have too many police. Police unions will never back down from forcing city and county governments to hire ever more patrolmen. It is counter to their interests. However, the number of patrolmen on staff should be dictated by the crime rate and the response requirements of the community, not its population.

Comment Passwords are not secure (Score 1) 330

This box was built with off the shelf components and runs on an open source platform. Your passwords are not effective. I don't care how much thought and obfuscation you think you've injected into them, how long they are or how often you change them. It no longer matters. What we need to do now is change the game. We need to remove the human element. We need to automate. And by that I mean much more than scripting changes. We need to automate compliance. Devices have stipulated software and configuration based on the service they provide, and a system exists which enforces that stance. Just because you know the administrator or root password doesn't mean you can load software onto the server. Just because you know the enable password doesn't mean you can change the router configuration. You may be able to cause a change to occur, but the system will roll it back or unload that software if it violates the policies that govern that device. If your PC suddenly starts blasting out traffic to all sorts of Internet addresses, your switch port gets turned off, or your wireless session gets dropped.

The idea is that humans, engineers and administrators tell the supervisory system how the services, and devices should behave; what components and configuration details they should exhibit and on what schedule changes can be performed. But a human NEVER makes a change. If they do, it's undone, removed, uninstalled or otherwise mitigated to return the device to its prescribed state. A very simple clustering/voting kind of setup could keep the supervisory system itself in its prescribed state.

This has the added benefit that the new slave labor situation present in nearly every IT department comes to an end. No longer are junior engineers relegated to performing endless, mind-numbingly simplistic operations that are of little actual value to the organization, add nothing to the engineer's resume and are mostly done poorly. Humans are allowed to do what they do best. Think. Plan. Design. And computer systems take on the job that THEY do best. Execute.
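As an added illustration (not part of the comment above) of the supervisory system it describes: a prescription per device plus a change window, a reconcile step that reverts any drift the moment it is observed, and approved prescription changes that take effect only inside the window. The device name, settings and package names are constructed for the example; the traffic-based port shutdown mentioned in the comment is not modelled here.

```python
# Added example (not from the comment above): a desired-state enforcer.
# Engineers publish a prescription per device plus a change window; the
# supervisor compares what the device reports against it, reverts any drift
# immediately, and applies approved prescription changes only in the window.
from datetime import datetime, time

# Constructed prescription; a real supervisor would load these from a repository.
PRESCRIBED = {
    "edge-router-1": {
        "window": (time(2, 0), time(4, 0)),   # planned changes allowed 02:00-04:00 only
        "config": {"ntp_server": "192.0.2.10", "telnet": "disabled", "ssh_version": "2"},
        "packages": {"base-os", "ssh-server"},
    },
}

def in_window(spec, now):
    """True when `now` falls inside the device's change window."""
    start, end = spec["window"]
    return start <= now.time() <= end

def reconcile(spec, observed, now, approved_update=None):
    """Return (effective_spec, corrected_state, actions). Drift is always undone;
    an approved_update (an engineer's new desired settings) joins the prescription
    only when this runs inside the window, otherwise the old prescription stands."""
    if approved_update and in_window(spec, now):
        spec = {**spec, "config": {**spec["config"], **approved_update}}
    actions = []
    config = dict(observed["config"])
    for key, want in spec["config"].items():
        if config.get(key) != want:
            actions.append(("revert" if key in config else "restore", key, want))
            config[key] = want
    for key in [k for k in config if k not in spec["config"]]:
        actions.append(("remove-setting", key, config.pop(key)))
    packages = set(observed["packages"])
    for extra in sorted(packages - spec["packages"]):
        actions.append(("uninstall", extra, None))
    for missing in sorted(spec["packages"] - packages):
        actions.append(("install", missing, None))
    return spec, {"config": config, "packages": set(spec["packages"])}, actions

# Constructed drifted report: someone with the enable password changed NTP,
# enabled telnet, added an unknown setting, and installed an extra package.
DRIFTED = {"config": {"ntp_server": "203.0.113.66", "telnet": "enabled",
                      "ssh_version": "2", "extra_acct": "tmp"},
           "packages": {"base-os", "ssh-server", "irc-bot"}}
```

Running `reconcile(PRESCRIBED["edge-router-1"], DRIFTED, datetime.now())` returns the corrected state together with the revert, remove-setting and uninstall actions the supervisor would carry out.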


Submission + - Yahoo! Still down

DFDumont writes: "Does anyone have an idea of what's wrong with Yahoo? It's now day two of their inability to map to my user ID, and I cannot authenticate anything (my portal, mail, maps, messenger). I tried the password recovery feature, even though I'm quite certain I know my password, but it fails to load the toolbar. My account with Yahoo! is ancient, even older than my Slashdot account ;-)

The front public page simply says there's a temporary error, but 36 hours is not temporary.

I'm trying both Firefox and IE and both have the same behavior. Any news?

Dennis Dumont"
